Peter Sagerson committed 9d3a7e3

Documentation and change log updates.

Files changed (3)

+v1.1.3 - <date>
+---------------
+
+* Fix #33: Reject empty passwords by default.
+  
+  Unless AUTH_LDAP_PERMIT_EMPTY_PASSWORD is set to True,
+  LDAPBackend.authenticate() will immediately return None if the password is
+  empty. This is technically backwards-incompatible, but it's a more secure
+  default for those LDAP servers that are configured such that binds without
+  passwords always succeed.
+
+* Fix #39: Add support for pickling LDAP-authenticated users.
+
+
+.. vim: ft=rst nospell tw=80
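Review bot: the release header still reads ``v1.1.3 - <date>``; fill in the actual release date before this is tagged, since the first bullet documents a backwards-incompatible change to the default and readers of the change log will want to know which release introduced it. Minor: the blank line after the ``Fix #33`` bullet carries trailing whitespace (``+  ``), which should be stripped.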

docs/source/authentication.rst

 this by forcing usernames to lower case when creating Django users and trimming
 whitespace when authenticating.
 
+Some LDAP servers are configured to allow users to bind without a password. As a
+precaution against false positives,
+:class:`~django_auth_ldap.backend.LDAPBackend` will summarily reject any
+authentication attempt with an empty password. You can disable this behavior by
+setting :setting:`AUTH_LDAP_PERMIT_EMPTY_PASSWORD` to True.
+
 By default, all LDAP operations are performed with the
 :setting:`AUTH_LDAP_BIND_DN` and :setting:`AUTH_LDAP_BIND_PASSWORD` credentials,
 not with the user's. Otherwise, the LDAP connection would be bound as the
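Review bot: "empty password" is left undefined in the new paragraph, which sits directly after a sentence saying whitespace is trimmed when authenticating; state whether a ``None`` password and a whitespace-only password are also rejected, so readers know the check is not bypassed by a single space. It would also help to spell out the false positive being guarded against: on a server that allows binds without a password, a bind with the user's DN and an empty password can succeed without the user having proven knowledge of any credential, and the backend would otherwise treat that as a successful login.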

docs/source/reference.rst

 nested groups, the Django database will end up with a flattened representation.
 
 
+.. setting:: AUTH_LDAP_PERMIT_EMPTY_PASSWORD
+
+AUTH_LDAP_PERMIT_EMPTY_PASSWORD
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Default: ``False``
+
+If ``False`` (the default), authentication with an empty password will fail
+immediately, without any LDAP communication. This is a secure default, as some
+LDAP servers are configured to allow binds to succeed with no password, perhaps
+at a reduced level of access. If you need to make use of this LDAP feature, you
+can change this setting to ``True``.
+
+
 .. setting:: AUTH_LDAP_PROFILE_ATTR_MAP
 
 AUTH_LDAP_PROFILE_ATTR_MAP
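Review bot: the closing sentence of the new ``AUTH_LDAP_PERMIT_EMPTY_PASSWORD`` entry (``If you need to make use of this LDAP feature, you can change this setting to True``) should carry a caution rather than read as a neutral option: once the setting is ``True``, a successful bind with an empty password no longer shows that the user supplied a valid credential on the servers described two sentences earlier, so it should only be enabled where the reduced-access login is actually intended. It would also be worth stating the result on the failure path (the change log says ``authenticate()`` returns ``None`` immediately) so the reference entry and the change log agree on the behaviour.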